
Security Troubleshooting – AAA Troubleshooting

So far we have two posts on security troubleshooting; there is so much to this one topic that I can't say WHEN we will ever finish it! This week's post focuses on a frequently encountered area, authentication and authorization failures, and on determining their cause.

We'll draw on two key concepts from the first post in this series: that knowledge of the authentication and authorization protocols is valuable, and that having multiple troubleshooting tools at your disposal pays off.

First of all, for those who may not be acquainted with the acronym, AAA stands for Authentication, Authorization and Accounting. The first paragraph left out accounting because that feature almost always works once authentication and authorization are working. When troubleshooting authentication, my experience has been that the protocol-specific debug tacacs+ and debug radius commands often produce output that is too detailed and obscure for anyone except those extremely knowledgeable in the protocols.

Instead, the generic debug aaa authentication command has several advantages over the more protocol-specific ones. First, it can be used across the router, switch, and ASA platforms.

As seen above, the output appears in several places in the form attribute = value. Several key attributes shown above are user, Method, service, and status. While this sample illustrates authentication against the local database, the same debug command can be used for TACACS+, RADIUS, or other means of authentication. In a similar fashion, debug aaa authorization also displays these attribute = value pairs:

In this sample, to correct the problem the network administrator needs to ensure that the “shell” attribute is allowed for the jdoe user in his TACACS+ authorization attribute list. We'll discuss the specific “gotchas” of local logins in a future posting.
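As an added example that is not part of the original post, here is a small Python helper that post-processes debug aaa authentication and debug aaa authorization output in the attribute = value shape described above and lists, per user, every phase, Method and service that did not report PASS (so a case like jdoe's failed "shell" authorization is isolated from the surrounding noise). The sample lines are constructed to match the post's description, not captured from a device; the phase tags, field order and status wording are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample output shaped like the attribute = value pairs the post
# describes. Not a real device capture: tags, field order and values are assumed.
SAMPLE_DEBUG = """\
AAA/AUTHEN: user = jdoe, Method = tacacs+, service = login, status = PASS
AAA/AUTHOR: user = jdoe, Method = tacacs+, service = shell, status = FAIL
AAA/AUTHEN: user = asmith, Method = local, service = login, status = FAIL
AAA/AUTHOR: user = asmith, Method = local, service = shell, status = PASS
"""

# One "attribute = value" pair; values run up to the next comma or whitespace.
PAIR_RE = re.compile(r"(\w+)\s*=\s*([^,\s]+)")


def parse_line(line):
    """Split one debug line into its phase tag (text before ':') and an
    attribute -> value dict built from the remaining 'a = b' pairs."""
    tag, _, rest = line.partition(":")
    return tag.strip(), dict(PAIR_RE.findall(rest))


def triage(debug_text):
    """Return {user: [(phase, Method, service, status), ...]} for every record
    whose status is present and is not PASS. Lines without a status attribute
    are in-progress records and are skipped."""
    failures = defaultdict(list)
    for line in debug_text.splitlines():
        if "=" not in line:
            continue
        tag, attrs = parse_line(line)
        status = attrs.get("status")
        if status is None or status.upper() == "PASS":
            continue
        failures[attrs.get("user", "?")].append(
            (tag, attrs.get("Method"), attrs.get("service"), status))
    return dict(failures)


if __name__ == "__main__":
    for user, records in triage(SAMPLE_DEBUG).items():
        for phase, method, service, status in records:
            print(f"{user}: {phase} via {method} for service {service} -> {status}")
```

Run against a real debug capture, a user who authenticates but shows only an AUTHOR failure for service shell points at the authorization attribute list on the AAA server rather than at credentials or server reachability.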
